Alleged SIM Swapper Arrested in California

Authorities in Santa Clara, Calif. have arrested and charged a 19-year-old area man on suspicion hijacking mobile phone numbers as part of a scheme to steal large sums of bitcoin and other cryptocurrencies. The arrest is the third known law enforcement action this month targeting “SIM swappers,” individuals who specialize in stealing wireless phone numbers and hijacking online financial and social media accounts tied to those numbers.

Xzavyer Clemente Narvaez was arrested Aug. 17, 2018 by investigators working with Santa Clara County’s “REACT task force,” which says it’s targeting those involved in “the takeovers of cell phone, email and financial accounts resulting in the theft of cryptocurrency.”

Prosecutors allege Narvaez used the proceeds of his crimes (estimated at > $1 million in virtual currencies) to purchase luxury items, including a McLaren — a $200,000 high-performance sports car. Investigators said they interviewed several alleged victims of Narvaez, including one man who reported being robbed of $150,000 in virtual currencies after his phone number was hijacked.

A fraudulent SIM swap occurs when a victim’s cell phone service is redirected from a SIM card under the control of the victim to one under the control of the suspect, without the knowledge or authorization of the victim account holder.

When a victim experiences a fraudulent SIM swap, their phone suddenly has no service and all incoming calls and text messages are sent to the attacker’s device. This includes any one-time codes sent via text message or automated phone call that many companies use to supplement passwords for their online accounts.

Narvaez came to law enforcement’s attention following the arrest of Joel Ortiz, a gifted 20-year-old college student from Boston who was charged in July 2018 with using SIM swaps to steal more than $5 million in cryptocurrencies from 40 victims.

A redacted statement of facts Santa Clara prosecutors shared with KrebsOnSecurity says records obtained from Google revealed that a cellular device used by Ortiz to commit SIM swaps had at one point been used to access the Google account identified as [email protected].

That statement refers frequently to the term IMEI; this is the International Mobile Equipment Identity number, which is a unique identification number or serial number that all mobile phones and smartphones have.

Prosecutors used data gathered from a large number of tech companies to put Narvaez’s phone in specific places near his home in Tracy, Calif. at the time his alleged victims reported having their phones hijacked. His alleged re-use of the same mobile device for multiple SIM hijacks ultimately gave him away:

“On 7/18/18, investigators received information from an AT&T investigator regarding unauthorized SIM swaps conducted through an AT&T authorized retailer. He reported that approximately 28 SIM swaps were conducted using the same employee ID number over an approximately two-week time period in November 2017. Records were obtained that included a list of IMEI numbers used to take over the victims’ cell phone numbers.”

“AT&T provided call detail records pertaining to the IMEI numbers listed to conduct the SIM swaps. One of those IMEI numbers, ending in 3218, was used to take over the cell phone of a resident of Illinois. I contacted the victim who verified that some of his accounts had been “hacked” in late 2017 but said he did not suffer any financial loss. Sgt. Tarazi analyzed the AT&T location data pertaining to that account takeover. That data indicated that on 7/27/17, when the victim from Illinois lost access to his accounts, the IMEI (ending in 3218) of the cell phone controlling the victim’s cell phone number was located in Tracy, California.”

“The specific tower is located approximately 0.6 miles away from the address 360 Yosemite Drive in Tracy. Several “NELOS” records (GPS coordinates logged by AT&T to estimate the location of devices on their network) indicate the phone was within 1000 meters of 360 Yosemite Drive in Tracy. AT&T also provided call detail records pertaining to Narvaez’ cell phone account, which was linked to him through financial services account records. Sgt. Tarazi examined those records and determined that Narvaez’ own cell phone was connected to the same tower and sector during approximately the same time frame that the suspect device (ending in 3218) was connected to the victim’s account.”

Apple responded to requests with records pertaining to customer accounts linked to that same suspect IMEI number. Those records identified three California residents whose Apple accounts were linked to that same IMEI number.

A snippet from a redacted “statement of facts” filed by prosecutors in the Narvaez case.

Verizon provided call detail records pertaining to the IMEI number ending in 3218. From the statement of facts:

These records that this phone had in fact been used to access the two Verizon numbers listed above, and at the same time was connected to a Verizon celltower located approximately 1.3 miles away from 360 Yosemite Drive in Tracy, CA. This cell tower was the closest Verizon tower to 360 Yosemite Drive.

“Records obtained from DMV indicated the 2018 McLaren was purchased from a car dealership in Southern California. Sale records obtained from the dealership indicated the payment for the vehicle was made by Tiffany Ross, primarily using bitcoin, accepted by the merchant processor BitPay on behalf of the dealership. The remainder of the price of the vehicle was financed through the trade-in of a 2012 Audi R8. The buyer/s listed email address was a Gmail address. Records also indicated the Audi R8 had been purchased in June 2017 by Xzavyer Narvaez. The entire balance for that vehicle was paid using bitcoin.”

“A different Gmail address was listed under the buyer’s contact information. Google provided records indicating both e-mail addresses used to pay for the vehicles belonged to Xzavyer Narvaez.”

“BitPay provided records that identified the Bitcoin transactions in which the vehicles were purchased. Investigator Berry utilized the Bitcoin blockchain, which is the distributed public ledger of all historical transactions on the Bitcoin network, to trace the flow of the bitcoins used to purchase the McLaren back to an address attributed to the cryptocurrency exchanger Bittrex.”

“Bittrex verified that funds from Bittrex to the output address identified in the blockchain that led to the purchase of the McLaren came from Narvaez’ account, and verified the address utilized for the deposit of bitcoin into that account. The Bitcoin blockchain currently indicates that Narvaez’ Bittrex deposit address has had more than 157 bitcoin flow through it, in 208 transactions, between 7/12/18 and 3/12/18. Based on the current market value of a bitcoin, 157 bitcoins are currently worth approximately S1,000,000.”

Narvaez faces four counts of using personal identifying information without authorization; four counts of altering and damaging computer data with intent to defraud or obtain money, or other value; and grand theft of personal property of a value over nine hundred and fifty thousand dollars. He is expected to issue a plea on Sept. 26, 2018. A copy of the charges against him is here (PDF).

Federal authorities also have been active in targeting SIM swappers of late. One day after Narvaez was apprehended, police in Florida arrested a 25-year-old man accused of being part of a group of about nine people that allegedly stole hundreds of thousands of dollars in virtual currencies from SIM swap victims. That case drew on collaboration with Homeland Security Investigations, which acted on a tip from a concerned mom in Michigan who overheard her son impersonating an AT&T employee and found bags of SIM cards in his room.

All of the major wireless companies let customers protect their accounts from SIM swapping by selecting a personal identification number (PIN) that is supposed to be required when account changes are requested in person or over the phone. But one big part of the problem is that many of these SIM swappers are working directly with retail mobile store employees who know how to bypass these protections.

If you’re concerned about the threat from SIM hijacking, experts say it might be time to disconnect your mobile phone number from important accounts. We discussed options for doing just that in last week’s column, Hanging Up on Mobile in the Name of Security.